Presentation of LDAP

Here it is used to facilitate user account administration. Instead of storing user accounts locally on each server, the LDAP directory stores them globally and makes them available to a group of servers.

This tutorial doesn’t explain how to set up the Automounter and the NFS services. It has been tested for RHEL 7.0, RHEL 7.1 and RHEL 7.2 (non-patched versions).

During this tutorial, follow the instructions very precisely: LDAP syntax is sometimes cumbersome (case sensitivity, whitespace, etc.) and error-prone (dn/dc/cn).

Let’s assume that we use the example.com domain and the instructor.example.com hostname (this hostname should be resolved either by the /etc/hosts file or by DNS).

# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem \
-keyout /etc/openldap/certs/priv.pem -days 365
Generating a 2048 bit RSA private key
.....+++
..............+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:instructor.example.com
Email Address []:

Hi thanks for fantastic website. I only wish things could go smooth with me. You wrote: openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout I had to do this like this: openssl req -new -x509 -nodes -keyout /etc/openldap/certs/cert.pem Then it worked. When you wrote: Generate a LDAP password from a secret key (here redhat): slappasswd -s redhat -n > /etc/openldap/passwd I just made up non-existing file, then created some secret key with ssh-keygen and replace redhat with it. However when I’m in config /etc/openldap/changes.ldif replace password with the previously created password) then what should I do ? Put plain text…

I think we are using ldap with a TLS layer on top of it. I don’t think we are really using ldaps.
This explains why we only open the 389 port.

2 years ago

Member

tron

Thanks for the tutorial.
On the 636 port thingy, I was also surprised for not using ldaps.
I found that to enable it, you should edit /etc/sysconfig/slapd and add ldaps:/// there in SLAPD_URLS.

Also, TLSCACertificateFile should be added according to OPENLDAP documentation (same cert in the case of a Self Signed Cert)

2 years ago

Member

kevbuntu

my server works if I use ldapwhoami ldap:/// but if I use ldaps:/// I would get:

ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)

and if I add this to /etc/sysconfig/slapd:
SLAPD_URLS="ldapi:/// ldaps:///"

# Any custom options
SLAPD_OPTIONS="-g ldap"

Not even ldap:/// would work. Not quite sure how to add TLSCACertificateFile to openldap, if you believe that is the problem. But ldapwhoami ldap:/// should still work and it will if I change the /etc/sysconfig/slapd to SLAPD_URLS="ldapi:/// ldaps:///". Thanks for any thoughts and feedbacks.

1 year ago

Member

kevbuntu

I have solved the part with regard to SLAPD_URLS by adding "ldap:/// ldapi:/// ldaps:///" but not sure the certificate part is correct as ldaps still does not work. I followed these two links but still no joy:
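Added example, not part of the tutorial or of any comment in this thread: a small Python check for the two problems tron and kevbuntu describe, a listener missing from SLAPD_URLS (ldaps:/// not added, or ldap:/// dropped when it was added) and the olcTLS* attributes missing from cn=config. The sysconfig text and the cn=config excerpt are constructed samples; the attribute names are OpenLDAP's own, the wording of the findings is mine.

```python
import re

# Constructed sample of /etc/sysconfig/slapd with the listener set kevbuntu
# reported: ldap:/// was dropped when ldaps:/// was added.
SYSCONFIG_SAMPLE = '''# OpenLDAP server configuration
SLAPD_URLS="ldapi:/// ldaps:///"

# Any custom options
SLAPD_OPTIONS="-g ldap"
'''

# Constructed excerpt of the cn=config entry (what `slapcat -n 0` prints):
# certificate and key are set, but no CA certificate.
CONFIG_LDIF_SAMPLE = '''dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem
'''

# Attributes slapd needs before it can serve TLS at all (ldaps or STARTTLS).
REQUIRED_FOR_TLS = ("olcTLSCertificateFile", "olcTLSCertificateKeyFile")


def parse_slapd_urls(sysconfig_text):
    """Return the listener URLs from the SLAPD_URLS line, [] if the line is absent."""
    for line in sysconfig_text.splitlines():
        line = line.strip()
        if line.startswith("SLAPD_URLS="):
            value = line.split("=", 1)[1].strip().strip('"\'')
            return value.split()
    return []


def parse_tls_attrs(ldif_text):
    """Collect the olcTLS* attributes of cn=config into a dict."""
    attrs = {}
    for line in ldif_text.splitlines():
        m = re.match(r"^(olcTLS\w+):\s*(.*)$", line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def check_listeners(sysconfig_text, ldif_text):
    """Return a list of findings; an empty list means the two files agree."""
    urls = parse_slapd_urls(sysconfig_text)
    if not urls:
        return ["SLAPD_URLS is missing or empty"]
    tls = parse_tls_attrs(ldif_text)
    schemes = {u.split(":", 1)[0] for u in urls}
    findings = []
    if "ldapi" not in schemes:
        findings.append("ldapi:/// missing: ldapmodify -Y EXTERNAL -H ldapi:/// will not work")
    if "ldap" not in schemes:
        findings.append("ldap:/// missing: port 389 is closed, so ldap:// clients (and STARTTLS) fail")
    if "ldaps" in schemes:
        for attr in REQUIRED_FOR_TLS:
            if attr not in tls:
                findings.append("ldaps:/// enabled but " + attr + " is not set in cn=config")
        if "olcTLSCACertificateFile" not in tls:
            findings.append("olcTLSCACertificateFile not set; with a self-signed cert point it at cert.pem")
    return findings


if __name__ == "__main__":
    for finding in check_listeners(SYSCONFIG_SAMPLE, CONFIG_LDIF_SAMPLE):
        print("-", finding)
```

On a real server the two inputs come from `/etc/sysconfig/slapd` and `slapcat -n 0`; the tutorial itself only uses STARTTLS on port 389, so an empty finding list with `SLAPD_URLS="ldapi:/// ldap:///"` is the expected state when you do not want ldaps at all.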

Hi Dear
Do we have to configure LDAP server in the exam which you showed on this page.
because in exam objectives it says:
**Configure a system to use an existing authentication service for user and group information**

In one of the first steps, you typed # slappasswd -s redhat -n > /etc/openldap/passwd
Now, you have to paste the content of the /etc/openldap/passwd file.

2 years ago

Member

suresh

Hi CertDepot,
I have a requirement to configure LDAP in production. But I don't want to install OpenLDAP. Do we have any difference between LDAP and OpenLDAP? Do you have any configuration steps for LDAP?

2) Once the server setup is done, how do I configure the LDAP client so that I can log in to the Red Hat machine with the user which I created in LDAP?

This website is mainly around the RHCSA and RHCE exams, it doesn’t explain how to set up all the available tools outside this context.
However, to answer your question, besides OpenLDAP, you can look at FreeIPA, which is also an LDAP server. You have two options: install the FreeIPA server with all its components (Kerberos, Apache, LDAP, DNS, etc -> https://www.certdepot.net/rhel7-configure-freeipa-server/) or only install the LDAP component called 389.

1 year ago

Member

akash.dhongde

Very good article Man I really appreciate it. I just need your help. I have configured OpenLDAP for my GIT server and everything is going well, but the only problem is with the users' passwords. For every user, I have to set a password but the users are not able to change it afterwards. How do I force the users to change their password at first login?
Please suggest! I have googled it a lot but no possible solution found.

Would there be a similar link for LDAP replication? This is very good. I am trying this site below for CentOS 7, seems easy but does not work. Nothing on this site ever worked for me even though it looks very well put together.

Yes, during the exam, the LDAP server is already configured. You don’t need to do anything on this side.

1 year ago

Member

scryptkiddy

I wasn’t able to copy / paste the changes.ldif (I’m using VirtualBox, which doesn’t seem to allow copy/paste even though I have clipboard enabled between host and guest…). But I verified it, literally 4 times, very slowly, and it’s correct.

Figured it out, there was a hidden line feed that was somehow entered due to the small vbox screen… The pain we IT guys go through just to prepare a server to just prepare for an exam, lol. Dedicated bunch aren’t we?!

Now on to the client side to test my external ldap authentication skills.

SK

1 year ago

Member

sashsz

After the step: “To start the configuration of the LDAP server, add the cosine & nis LDAP schemas” I am getting this error:

I think it’s different. The OpenLDAP server configuration takes time but is a proved solution.

1 year ago

Member

samuel.sappa

Hi CertDepot,
Sorry for asking again. IMHO, when we install the IPA server, aren't LDAP and Kerberos automatically configured too, so we don't have to do it manually?
Again thank you for your reply and info

Yes, a lot of things are set automatically. However, on the client side, the configuration can be slightly different.
I’m not saying that it’s not possible, I only think it can be slightly different.

1 year ago

Member

n40lab

Great article indeed! Really useful for Red Hat and Linux Foundation exams, please keep up the good work! I’d like to make a suggestion. As netstat is not installed by default in CentOS/RedHat 7, maybe you could change:

netstat -lt | grep ldap

With:

ss -ltap | grep ldap

It seems that ss replaced netstat, but of course you can still use it installing the net-tools package (yum install net-tools).

Hi, Thanks for the tutorial. I successfully configured the LDAP server. I’ve a silly question: while I am configuring the LDAP client using the GUI system-config-authentication command, which certificate do I need to download for the TLS encryption ("Download CA Certificate")?

1 year ago

Member

centosnoob

Hello CertDepot! Thank you very much for creating this site! I have followed your instructions step-by-step but now I am facing an issue at step “Build the structure of the directory service:” When I use this command:
ldapadd -x -w centos -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
I receive the following reply:
ldap_bind: Invalid credentials (49)
Do you know where I have gone wrong? Thank you for your time and help!

I found that the slapd service runs as the ldap user, and because of this, the directory server is unable to modify any files created by slapadd.

1 year ago

Member

wobee

The file /var/lib/ldap/DB_CONFIG is present.

The service slapd run with the ldap user.

1 year ago

Member

hallo

I’m about half way through, am now at changes.ldif

I’m using a server with a hostname in the format:
servernumber.subdomain.name.com

Can I still use dc=example,dc=com ??

Does it have to be related in any way whatsoever, to the hostname? I understand I’ll have to edit /etc/hosts of the clients I’m setting up.

1 year ago

Member

hallo

OK decided to just change static hostname on the server. Followed this guide *precisely* on a CentOS server and it’s all working now, from a CentOS client. At first I couldn’t get the LDAP client to work on Fedora, so thought maybe the server was misconfigured ? Doesn’t matter anymore. Also, in the middle, I accidentally followed your RHEL6/2014 version of this guide, on a different page, and then when I came back to this RHEL7 version, I couldn’t: systemctl start slapd But I realized that I just had to delete the olcRootPW: line from olcDatabase={2}bdb.ldif Many thanks ! Was…

Can someone even connect at all to this LDAP server setup, if they don’t have the cert.pem ?

1 year ago

Member

hallo

Do you know if it’s at all possible for an LDAP user to get access to the server’s /etc/passwd/ file, or a list of the server’s users? I’m thinking for malicious reasons.
I actually did stray from this guide when following it – where it says grep ":10[0-9][0-9]" I instead did grep ldapuser as I only wanted ldapuser01 and ldapuser02 to be shared.

No, I don’t think an LDAP user can get access to the /etc/passwd file of the server nor the users’ list.

1 year ago

Member

ntcong

Hi, Thanks for the excellent article. Question: how can I set the access permission for each OU (organizational unit)? I mean I have installed LDAP successfully. My domain is ntcong.net, there are 2 OUs: People and Group. Currently, when I use the LDAP client, I can access the LDAP server without any username/password (even if the LDAP client requires a username/password and I enter an invalid username/password, it can access the LDAP server too). So how can I set it so that username1 can access ou: People but this user (username1) cannot access ou: Group? I am using…

When you say you can access the LDAP server without authentication, do you mean you can bind with an invalid password, or you can actually read data with an invalid password? You are likely going to need to restrict access; the following may work (depending on your LDAP setup obviously):

* by dn="cn=admin,dc=top" write by dn="cn=autobind,dc=top" read by self write by users read by anonymous auth by * none

So the above means that admin can write, autobind can read, anonymous users are provided access to the userPassword attribute for the initial connection to occur, and all users have read access to their…
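Added example (my code, not the commenter's and not OpenLDAP's): a toy evaluator of the rule slapd applies to olcAccess, the first `access to` directive whose target matches is used, within it the first matching `by` clause wins, and a requester no `by` clause matches gets `none`. It parses the directive from the reply above (quotes straightened, `access to` prepended) and a constructed rule set for ntcong's per-OU question. It ignores the `stop`/`break`/`continue` control keywords and supports only `*`, `attrs=` and `dn.subtree=` targets and `*`, `anonymous`, `users`, `self`, `dn=`/`dn.exact=` requesters.

```python
import shlex

# Access levels in the order slapd ranks them; a higher level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The directive from the reply above, with the quotes straightened.
REPLY_ACL = ('access to * by dn="cn=admin,dc=top" write by dn="cn=autobind,dc=top" read '
             'by self write by users read by anonymous auth by * none')

# Constructed rule set for ntcong's goal: username1 may read ou=People but not ou=Group,
# and only the owner (plus the anonymous bind step) may touch userPassword.
PER_OU_ACL = """
access to attrs=userPassword by self write by anonymous auth by * none
access to dn.subtree="ou=People,dc=ntcong,dc=net" by dn="uid=username1,ou=People,dc=ntcong,dc=net" read by * none
access to dn.subtree="ou=Group,dc=ntcong,dc=net" by * none
"""


def parse_acl(text):
    """Turn 'access to <what> by <who> <level> ...' lines into (what, [(who, level), ...])."""
    directives = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)          # keeps dn="..." as one token, quotes stripped
        if len(tokens) < 3 or tokens[:2] != ["access", "to"]:
            raise ValueError("not an access directive: " + line)
        what, rest, clauses = tokens[2], tokens[3:], []
        while rest:
            if rest[0] != "by" or len(rest) < 3 or rest[2] not in LEVELS:
                raise ValueError("malformed by clause in: " + line)
            clauses.append((rest[1], rest[2]))
            rest = rest[3:]
        directives.append((what, clauses))
    return directives


def what_matches(what, target_dn, attr):
    """Does the <what> part select this entry (and attribute, if one is named)?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = [a.lower() for a in what[len("attrs="):].split(",")]
        return attr is not None and attr.lower() in wanted
    if what.startswith("dn.subtree="):
        base = what[len("dn.subtree="):].lower()
        target = target_dn.lower()
        return target == base or target.endswith("," + base)
    raise ValueError("unsupported <what>: " + what)


def who_matches(who, bind_dn, target_dn):
    """Does the <who> part match the requester? bind_dn=None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn=") or who.startswith("dn.exact="):
        return bind_dn is not None and bind_dn.lower() == who.split("=", 1)[1].lower()
    raise ValueError("unsupported <who>: " + who)


def granted_level(directives, bind_dn, target_dn, attr=None):
    """Level granted: first directive whose <what> matches, then its first matching <by>."""
    for what, clauses in directives:
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"           # no <by> clause matched: slapd implies 'by * none'
    return "none"               # no directive matched this target: treated as denied


def allows(directives, bind_dn, target_dn, needed, attr=None):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(directives, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    rules = parse_acl(PER_OU_ACL)
    me = "uid=username1,ou=People,dc=ntcong,dc=net"
    print("username1 on ou=People:", granted_level(rules, me, "uid=bob,ou=People,dc=ntcong,dc=net"))
    print("username1 on ou=Group: ", granted_level(rules, me, "cn=admins,ou=Group,dc=ntcong,dc=net"))
```

The ordering matters as much as the levels: with `by anonymous auth` an anonymous bind can still authenticate against userPassword, but because `auth` ranks below `read` the same requester cannot read entries, which is the distinction the reply draws. Verify the real server with `ldapsearch` as each of the identities, since slapd's full matching (regex styles, `dn.children`, control keywords) is richer than this model.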

1 year ago

Member

Peatross

I ran into the same problem as others with the error: ldap_bind: Invalid credentials (49) I got it to work, but didn’t troubleshoot too much after I got it to work, I’ll leave that to smarter people. So, what I did was change olcRootPW: in changes.ldif to just plain text redhat: olcRootPW:redhat That worked after running: ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif and then: ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif just because I was curious, after which I tried again with a newly created hash with the command: slappasswd -s redhat and copied the result from the console…
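Added example, not from the tutorial or from the comment above: it builds the same {SSHA} value slappasswd prints by default on RHEL 7 (SHA-1 over the password followed by a 4-byte salt, then base64 of digest plus salt), verifies a password against such a value, and checks a pasted olcRootPW line for the problems reported in this thread, a hidden line break from copy/paste and a cleartext value. The password "redhat" is the tutorial's; the rest is constructed.

```python
import base64
import binascii
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Produce a {SSHA} value in the form slappasswd prints: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)                    # slappasswd also uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value; False for other schemes or malformed input."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except binascii.Error:
        return False
    if len(raw) <= 20:                          # need a 20-byte SHA-1 digest plus a salt
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def check_rootpw_line(line):
    """Findings for one 'olcRootPW: ...' LDIF line; [] means it is ready for ldapmodify."""
    if not line.startswith("olcRootPW:"):
        return ["not an olcRootPW line"]
    findings = []
    value = line[len("olcRootPW:"):]
    if value != value.rstrip():
        findings.append("trailing whitespace or line break in the value (hidden \\r or \\n from a paste)")
    value = value.strip()
    if not value:
        findings.append("empty value")
    elif value.startswith("{SSHA}"):
        try:
            raw = base64.b64decode(value[len("{SSHA}"):], validate=True)
        except binascii.Error:
            raw = b""
        if len(raw) != 24:
            findings.append("{SSHA} value is not a complete slappasswd hash (20-byte digest + 4-byte salt)")
    elif value.startswith("{"):
        findings.append("scheme " + value.split("}")[0] + "} is not checked here")
    else:
        findings.append("cleartext root password: slapd accepts it, but it is then stored unhashed in cn=config")
    return findings


if __name__ == "__main__":
    hashed = ssha_hash("redhat")
    print("olcRootPW: " + hashed)
    print("verifies:", ssha_verify("redhat", hashed))
    for sample in ("olcRootPW: " + hashed, "olcRootPW: " + hashed + "\r", "olcRootPW:redhat"):
        print(repr(sample[:30]), "->", check_rootpw_line(sample) or "ok")
```

Run `check_rootpw_line` on the line you are about to feed to `ldapmodify`; a hash that slappasswd printed without `-n` carries a newline, and a terminal paste inside a small VM console can add one as well, and either turns a correct password into "Invalid credentials (49)".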

If you enabled LDAP authentication globally through PAM and configured /etc/pam.d/passwd, then a user can change his own LDAP password through the passwd command, as is common for local Unix accounts.

Great! Followed the steps and everything is working fine. Thank you. But it would be even better if CertDepot provided (on this website itself, not on third-party websites) the steps for the AutoFS and NFS server configuration to mount the LDAP users’ home directories when needed.